Do They Need to Know?

Do users need to know about computer security? The vast and growing literature of computer security suggests that solutions to most security issues are currently being sought purely through technology. Humanity obtrudes into the literature primarily in the guise of hackers and disaffected administrators, in the debate over which is the greater threat. The average user is strangely absent, like the labourer in eighteenth century landscape painting. True, a little consideration has been given to the special problems of making security software usable, and some thought has been given to how to raise security awareness. There must be something out of balance here, however exciting the subjects of encryption, biometrics and other cutting edge technology are. For although a lot can be done to create a 'safe environment' for users, this will never be the whole answer. It is marvellous to offer the user software to encrypt email, for example, but they need to know when to use it. Policies and user education must be at the heart of any organisation's security strategy.

It is probably not appropriate for an organisation such as a University to give away too much about the methods it adopts to protect the network from external and internal attack. But it is arguable that users should be told about the extent of such attacks. They rarely are. If they were, they might have a stronger sense of the value of computing services' work, and a greater appreciation of the value of a stable network which is increasingly taken for granted. If they were, they might see how dangerous the Internet can be. In fact, for them not to have a sense of the risks leaves them very vulnerable when they go on to use computers in other settings, especially at home. An appreciation of the security aspects of using computers is a life skill.

Knowledge at this level is important, but it is probably at a mundane practical level that security seems most pressing to users. Users are concerned with such day to day security matters as back-ups, viruses and passwords. Their main concern is to get the job in hand done. Security measures can seem an annoyance; but they are also mission critical.

How much do we really know about users' day to day experience of using computers? Or about their attitudes to computers in general and security aspects of computing in particular? We get a sense of what is going on at the helpdesk; but helpdesk users are of course the minority, with a specific problem that they choose to present to support officers. A JISC workshop in June 1998 recognised the gap in understanding, and an invitation to explore the topic was included in the JISC Committee for Awareness, Liaison and Training Programme 4/99 call in November 1999 (1).

The project

The result of the call was that LITC, South Bank University (2) and the University of Glasgow (3) were funded to conduct a study of the human and organisational issues associated with network security, during 2000.

A variety of research methods were used, including expert workshops and in-depth interviews. But the primary method was a substantial questionnaire. The questionnaire was trialled at South Bank and Glasgow, then given to staff and student users at a number of 'outer core' sites in HEIs around the country. The respondents represent only a small group from the total potential population. No controlled sampling took place. The scene is changing too rapidly, as computing environments change, to arrive at a definitive picture of users' attitudes, and time would have moved on by the time results were collated. But the picture built up from the responses that were received is plausible. And the survey uncovered a number of interesting findings which service managers may wish to ponder in their own context.

Headline survey findings

Users acknowledged feelings of uncertainty and ignorance. One respondent commented: "I would never, if I could help it, put anything personal, private or financial to me, anywhere near a computer. I do not have confidence in computer security at all." The problem of course is that he or she cannot 'help it'. Computers are central to how we work in HE today. So the issue cannot be ducked. For those running the network, winning the confidence of users by increasing their understanding of the nature of the risks is surely as much a part of providing a fundamentally sound service as reducing system down time and building a reliable network. The survey found uncertainty, but not a lack of motivation for security or interest in the subject. And if that motivation exists, it is the basis for a security culture, comparable to a health and safety culture, with all protecting all. A knowledgeable user can be the first to notice and report issues to service administrators.

Another respondent remarked: "I don't feel I have ever been told ANYTHING about IT security here!" Of course in a sense this is absurd. Most computing services constantly issue advice and support to users, with an element of, or even a stress on, security. All the relevant policies are publicly available on the Web. Most training courses will involve something on security issues. Having said this, it is probably not very surprising to the reader to discover that many people do not read policies. Perhaps this reflects how they were written, as a simple list of DON'Ts, as much as anything. But the fact that policies are seen quite negatively, and as existing primarily to protect IT staff, is a dangerous state of affairs. In some of the surveyed institutions there were distinctly negative views towards policies.

One aspect of attitudes that we were particularly interested in was users' sense of responsibility. The results suggested that users did not always understand that the responsibility lies at least partly with them to protect themselves. There was also a tendency to underestimate the effect of one's actions on others.

The survey asked a series of questions about security issues: viruses, backups, passwords. A small number of respondents do get a lot of viruses, but on the whole people had few, and seemed to be positive about the importance of scanning, even if fewer actually do it. There were marked differences in attitude between institutions, perhaps reflecting different computing and support environments. Interestingly people were slow to acknowledge the cost of the virus problem to the University as an institution.

Users seem confused about backups: stressing their importance but not actually making them consistently. A large number of people acknowledged that they had lost an important file because of accidental deletion or because it had become corrupted. That is why saving important files to shared drives that are backed up automatically is such an advance in security. Is there, however, a knowledge gap that needs to be filled? It is a key issue for students: are institutions doing enough to make secure practice easy?

Perhaps the most unsatisfactory attitudes are found when looking at passwords. Risky password practices are quite common, especially writing down passwords and sharing them. Perhaps this reflects the practical reality of needing to remember multiple passwords. The multiplicity of usernames and passwords was commonly cited as an irritation. It might also reflect practical need where responsibilities are shared. This suggests that advice which advocates, in the face of this practical reality, that people treat all their passwords as requiring the same level of protection, without acknowledging that some matter more than others, is unrealistic.

How well do users understand the risks implicit in what they do? The responses to the questionnaire suggested that very serious, less obvious threats such as impersonation are underestimated risks. Users rated the deletion of files above the sending of emails under one's name. They were also confused about how they would know if their account had been tampered with.

Looking at general attitudes to the safety of the Internet, the survey indicated that people may not fully understand the risks of sending confidential information by email, while they are much more cautious, perhaps over cautious, about online shopping.

One respondent commented: "Important subject - but I don't know much about it!" Clearly there is a knowledge gap that somehow needs to be filled. It is too easy to say that users can't be bothered with security, because they have a direct interest in it. They want to protect their work. More needs to be done to raise awareness of their dependence on each other in maintaining a secure environment for all. It is true that security can be seen as not the work in hand, merely a precondition of safe completion of it. There is no doubt that it is difficult to present the information they need at the right time and in the right way for users to take the trouble to absorb it. It is probably true, though, that draconian lists of dos, but mostly don'ts, are not the best way to express it.

Conclusions

It is our conclusion that users are well motivated about security in their own use of computers, within reason. They are not reckless in their practices. For every question there was a small fraction of people with 'dangerous' attitudes. But a majority viewed things responsibly and reflected apparently sensible behaviour, with some notable gaps in knowledge and a sense of generalised uncertainty.

As part of the project we began to explore a number of ways to increase awareness. The survey suggested that there are relatively few clear-cut links between role and attitude, so blanket education is required, rather than focussing on particular role based groups. We examined three approaches that seemed to have some potential:

Firstly, a simple email message or web page drawing attention to common vulnerabilities and errors. This is a simple, direct, scalable way to raise awareness, and a quick way to reach a lot of people.

Secondly, a discussion orientated awareness raising session, using items from the press to spark off discussion. This proved to be a good way to explore awareness of policies and risks on the side of those giving the session, as well as raising consciousness and awareness among attendees.

A third method is a series of scenarios presented to users as part of a forced password change session. This is the approach taken by James Madison University (4). Some will see it as too intrusive. User feedback is positive, though. Perhaps this reflects James Madison's philosophy of stressing the ethical dimensions of computer security, and not being heavily didactic.

Universities have particular problems in creating security awareness and disciplines. The population of users is large and the turnover in them is rapid. They are organisations that in their essence value discussion and debate. They are not command organisations where instructions from the top are followed routinely without question. A consensual security culture seems the most appropriate approach.

Further research is needed into the pattern of attitudes and behaviour and how to change them. Our own questionnaire exists as a resource for reuse in local studies. Some institutions were doing better than others, judged by attitudes and reported problems. This suggests that there needs to be greater sharing of best practice.

Readers may be interested to note that JISC Assist are organising two workshops for JCAS in January 2002 (5). We hope they will be an opportunity to take discussion further.